CVE-2022-20699

CRITICAL KEV

Cisco RV340, RV340W, RV345, RV345P Firmware < 1.0.03.24 - Unauthenticated Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2022-20699 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 4 public exploits from researchers including Audiobahn, puckiestyle, Pedro Ribeiro <[email protected]>, including a Metasploit module exploits/linux/misc/cisco_rv340_sslvpn.

AI-analyzed exploit summary This PoC exploits a stack-based buffer overflow in Cisco RV340 WAN's SSL VPN service (CVE-2022-20699) to achieve unauthenticated remote code execution. It sends a crafted payload to trigger the vulnerability via an HTTP POST request to port 8443.

Description

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory.

Exploits (4)

nomisec WORKING POC 238 stars

by Audiobahn · remote

https://github.com/Audiobahn/CVE-2022-20699

View Code ZIP pw:eip

This PoC exploits a stack-based buffer overflow in Cisco RV340 WAN's SSL VPN service (CVE-2022-20699) to achieve unauthenticated remote code execution. It sends a crafted payload to trigger the vulnerability via an HTTP POST request to port 8443.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cisco RV340 WAN (SSL VPN service)

No auth needed

Prerequisites: Network access to the target's SSL VPN service (port 8443) · Target device must be vulnerable to CVE-2022-20699

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by puckiestyle · remote

https://github.com/puckiestyle/CVE-2022-20699

View Code ZIP pw:eip

This PoC exploits a stack-based buffer overflow in Cisco AnyConnect VPN (CVE-2022-20699) to achieve unauthenticated remote code execution. It sends a crafted payload to trigger the vulnerability via an HTTP POST request to the target's SSL VPN service.

Classification

Working Poc 80%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cisco AnyConnect VPN (RV340 WAN)

No auth needed

Prerequisites: Target running vulnerable Cisco AnyConnect VPN · Network access to port 8443

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/rdomanski/Exploits_and_Advisories

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2022-20699, a stack-based buffer overflow in Cisco RV340 VPN Gateway's SSL VPN service. The exploit includes a Python script that crafts a malicious payload to achieve remote code execution as root, along with a detailed technical writeup explaining the vulnerability and exploitation process.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cisco RV340 VPN Gateway (firmware versions up to and including v1.0.03.24)

No auth needed

Prerequisites: SSL VPN service (sslvpnd) must be running on the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC GOOD

by Pedro Ribeiro <[email protected]> · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/cisco_rv340_sslvpn.rb

View Code ZIP pw:eip

This Metasploit module exploits a stack buffer overflow in Cisco RV340 SSL VPN (CVE-2022-20699) to achieve unauthenticated remote code execution. It uses custom ARMLE shellcode to establish a reverse root shell, targeting firmware versions <= 1.0.03.24.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Racy

Target: Cisco RV340 Firmware Version <= 1.0.03.24

No auth needed

Prerequisites: Network access to the target's SSL VPN service (port 8443) · Vulnerable firmware version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-22-414/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/167113/Cisco-RV340-SSL-VPN-Unauthenticated-Remote-Code-Execution.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20699

Scores

CVSS v3 10.0

EPSS 0.8940

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2022-03-03

VulnCheck KEV 2022-03-03

InTheWild.io 2022-03-03

ENISA EUVD EUVD-2022-25949

CWE

CWE-1284 CWE-121

Status published

Products (4)

cisco/rv340_firmware < 1.0.03.24

cisco/rv340w_firmware < 1.0.03.24

cisco/rv345_firmware < 1.0.03.24

cisco/rv345p_firmware < 1.0.03.24

Published Feb 10, 2022

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026